[PATCH 1/2] lxc_container: Check retval of capng_get_caps_process()

Michal Privoznik posted 2 patches 10 months, 1 week ago
[PATCH 1/2] lxc_container: Check retval of capng_get_caps_process()
Posted by Michal Privoznik 10 months, 1 week ago
Added in v0.6.5~14 the call to capng_get_caps_process() inside of
lxcContainerDropCapabilities() is not really explained in the
commit message. But looking into the libcap-ng sources it's to
initialize the internal state of the library.

But with recent libcap-ng commit [1] (which some bleeding edge
distros - like Fedora rawhide - already picked up) the function
has been marked as 'warn unused result'. Well, check for its
retval then.

1: https://github.com/stevegrubb/libcap-ng/commit/a0743c335c9a16a2fda9b25120a5523742119e47

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
 src/lxc/lxc_container.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 21220661f7..4c37fcd012 100644
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -1725,7 +1725,13 @@ static int lxcContainerDropCapabilities(virDomainDef *def,
                                 CAP_SYSLOG,
                                 CAP_WAKE_ALARM};
 
-    capng_get_caps_process();
+    /* Init the internal state of capng */
+    if ((ret = capng_get_caps_process()) < 0) {
+        virReportError(VIR_ERR_INTERNAL_ERROR,
+                       _("Failed to get current process capabilities %1$d"),
+                       ret);
+        return -1;
+    }
 
     /* Make sure we drop everything if required by the user */
     if (policy == VIR_DOMAIN_CAPABILITIES_POLICY_DENY)
-- 
2.41.0